Lecture 01 - Introduction Eran Yahav 1. 2 Who? Eran Yahav Taub 734 Tel: 8294318 Monday 13:30-14:30

Lecture 01 - Introduction Eran Yahav 1

2 Who? Eran Yahav Taub 734 Tel: 8294318 yahave@cs.technion.ac.il Monday 13:30-14:30 http://www.cs.tecnion.ac.il/~yahave Yuri Meshman (TA) Taub 329 Tel: 8294890

What?  Understand program analysis & synthesis  apply these techniques in your research  understand jargon/papers  conduct research in this area  We will cover some areas in more depth than others  What will help us  TA: Yuri Meshman  3-5 homework assignments  Small lightweight project  No exam 3

Your slides have dark background 4 (image source: http://www.apolloideas.com/blog/archives/201)http://www.apolloideas.com/blog/archives/201

Your slides don’t have everything you say written on them  Yes, I know, this is by design  Slides are a teaching aid  Not a replacement for attending lectures  If you don’t attend lectures or attend and don’t listen, you will miss some things  If you want slides that have all the material written on them nicely, that format is commonly known as a textbook  See how horrible this slide is? You won’t see many slides with so much text as this one in the rest of the course 6

Software is Everywhere

Unreliable

December 31, 2008 10

Zune Bug 1 while (days > 365) { 2 if (IsLeapYear(year)) { 3 if (days > 366) { 4 days -= 366; 5 year += 1; 6 } 7 } else { 8 days -= 365; 9 year += 1; 10 } 11 } 11

Zune Bug 1 while (366 > 365) { 2 if (IsLeapYear(2008)) { 3 if (366 > 366) { 4 days -= 366; 5 year += 1; 6 } 7 } else { 8 days -= 365; 9 year += 1; 10 } 11 } 12

Zune Bug 1 while (366 > 365) { 2 if (IsLeapYear(2008)) { 3 if (366 > 366) { 4 days -= 366; 5 year += 1; 6 } 7 } else { 8 days -= 365; 9 year += 1; 10 } 11 } Suggested solution: wait for tomorrow 13

February 25, 1991 14

Patriot Bug - Rounding Error  Time measured in 1/10 seconds  Binary expansion of 1/10 (non-terminating): 0.0001100110011001100110011001100....  24-bit register (chopped) 0.00011001100110011001100  error of  0.0000000000000000000000011001100... binary, or ~0.000000095 decimal  After 100 hours of operation error is 0.000000095×100×3600×10=0.34  A Scud travels at about 1,676 meters per second  so travels more than half a kilometer in this time 15

Patriot Bug - Rounding Error  Time measured in 1/10 seconds  Binary expansion of 1/10 (non-terminating): 0.0001100110011001100110011001100....  24-bit register (chopped) 0.00011001100110011001100  error of  0.0000000000000000000000011001100... binary, or ~0.000000095 decimal  After 100 hours of operation error is 0.000000095×100×3600×10=0.34  A Scud travels at about 1,676 meters per second, and so travels more than half a kilometer in this time Suggested solution: reboot every 10 hours 16

August 13, 2003 I just want to say LOVE YOU SAN!! (W32.Blaster.Worm) 17

Windows Exploit(s) Buffer Overflow void foo (char *x) { char buf[2]; strcpy(buf, x); } int main (int argc, char *argv[]) { foo(argv[1]); }./a.out abracadabra Segmentation fault Stack grows this way Memory addresses Previous frame Return address Saved FP char* x buf[2] … (YMMV) 18

Windows Exploit(s) Buffer Overflow void foo (char *x) { char buf[2]; strcpy(buf, x); } int main (int argc, char *argv[]) { foo(argv[1]); }./a.out abracadabra Segmentation fault Stack grows this way Memory addresses Previous frame Return address Saved FP char* x buf[2] … ab (YMMV) 19

Windows Exploit(s) Buffer Overflow void foo (char *x) { char buf[2]; strcpy(buf, x); } int main (int argc, char *argv[]) { foo(argv[1]); }./a.out abracadabra Segmentation fault Stack grows this way Memory addresses Previous frame Return address Saved FP char* x buf[2] … ab ra (YMMV) 20

Windows Exploit(s) Buffer Overflow void foo (char *x) { char buf[2]; strcpy(buf, x); } int main (int argc, char *argv[]) { foo(argv[1]); }./a.out abracadabra Segmentation fault Stack grows this way Memory addresses Previous frame Return address Saved FP char* x buf[2] … ab ra ca (YMMV) 21

Windows Exploit(s) Buffer Overflow void foo (char *x) { char buf[2]; strcpy(buf, x); } int main (int argc, char *argv[]) { foo(argv[1]); }./a.out abracadabra Segmentation fault Stack grows this way Memory addresses Previous frame Return address Saved FP char* x buf[2] … ab ra ca da (YMMV) 22

Windows Exploit(s) Buffer Overflow void foo (char *x) { char buf[2]; strcpy(buf, x); } int main (int argc, char *argv[]) { foo(argv[1]); }./a.out abracadabra Segmentation fault Stack grows this way Memory addresses Previous frame Return address Saved FP char* x buf[2] … ab ra ca da br (YMMV) 23

(In)correct Usage of APIs  Application Trend: Increasing number of libraries and APIs – Non-trivial restrictions on permitted sequences of operations  Typestate: Temporal safety properties – What sequence of operations are permitted on an object? – Encoded as DFA e.g. “Don’t use a Socket unless it is connected” initconnectedclosed err connect()close() getInputStream() getOutputStream() getInputStream() getOutputStream() getInputStream() getOutputStream() close() * 24

Challenges class SocketHolder { Socket s; } Socket makeSocket() { return new Socket(); // A } open(Socket l) { l.connect(); } talk(Socket s) { s.getOutputStream()).write(“hello”); } main() { Set set = new HashSet (); while(…) { SocketHolder h = new SocketHolder(); h.s = makeSocket(); set.add(h) } for (Iterator it = set.iterator(); …) { Socket g = it.next().s; open(g); talk(g); }

But there is hope ! Microsoft’s Static Driver Verifier (from MSR) Found 100 ’s of errors in 140 drivers, right before Windows 7 release Microsoft uses and distributes the tool 26

But there is hope ! “Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability." -- Bill Gates, 2002 27

But there is hope ! The Astree Static Analyzer has been used to automatically prove the absence of run-time errors in Airbus’s A340 and A380’s primary flight control software 28

But there is hope ! Companies such as IBM, Coverity, Klocwork, Grammatech create sophisticated code analysis tools 29

Theory + Practice In this course, we will study the core theoretical principles behind these approaches and learn how to apply them to build practical analysis engines 30

Approaches to Reliability General problem undecidable. There are two general classes of automated techniques for program analysis. We will cover both. 31

All behaviors in the universe Program BehaviorsOver-approximation Under-approximation Approaches to Reliability

Under-approximations  standard testing, guided dynamic analysis, symbolic execution, …  Focuses on a subset of behaviors  Which subset?  What guarantees can it provide?  We will cover some of the more interesting ones 33

Over-approximations  aka “Static Analysis”  abstract interpretation, dataflow analysis, constraint-based analysis, type and effect systems  Always err on the safe side  Many applications: verification, bug finding, code synthesis, program understanding, … 34

Static Analysis Reason statically (at compile time) about the possible runtime behaviors of a program “The algorithmic discovery of properties of a program by inspection of its source text 1 ” -- Manna, Pnueli 1 Does not have to literally be the source text, just means w/o running it 35

Static Analysis  Formalize software behavior in a mathematical model (semantics)  Prove properties of the mathematical model  Automatically, typically with approximation of the formal semantics  Develop theory and tools for program correctness and robustness 36

program specification Abstract counter example Analyzer Valid Static Analysis

Verification Challenge I main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y } Determine what states can arise during any execution Challenge: set of states is unbounded 38

Abstract Interpretation main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y } Recipe 1) Abstraction 2) Transformers 3) Exploration Challenge: set of states is unbounded Solution: compute a bounded representation of (a superset) of program states Determine what states can arise during any execution 39

1) Abstraction main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y }  concrete state  abstract state (sign)  : Var  Z  # : Var  {+, 0, -, ?} xyi 31 7 xyi ++ + 32 6 xyi … 40

2) Transformers main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y }  concrete transformer  abstract transformer xyi ++ 0 xyi 31 0 y = y + 1 xyi 32 0 xyi ++ 0 +- 0 +? 0 + 00 ++ 0 +? 0 +? 0 41

3) Exploration ++ ? ++ ? xyi main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y } ++ ? ++ ? ?? ? xyi ++ ? ++ ? ++ ? ++ ? ++ ? ++ ? 42

Incompleteness 43  main(int i) { int x=3,y=1; do { y = y - 2; y = y + 3; } while(--i > 0) assert 0 < x + y } +? ? +? ? xyi +? ? ++ ? ?? ? xyi +? ? +? ? +? ?

Parity Abstraction 44 challenge: how to find “the right” abstraction while (x !=1 ) do { if (x % 2) == 0 { x := x / 2; } else { x := x * 3 + 1; assert (x %2 ==0); }

Example: Shape (Heap) Analysis void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } 45

Example: Shape (Heap) Analysis void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 46

Example: Shape (Heap) Analysis emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 47

Example: Shape (Heap) Analysis t emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 48

Example: Shape (Heap) Analysis t t emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 49

Example: Shape (Heap) Analysis t t t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 50

Example: Shape (Heap) Analysis t t t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 51

Example: Shape (Heap) Analysis x t t t t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 52

Example: Shape (Heap) Analysis x t t x n t t t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 53

Example: Shape (Heap) Analysis x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 54

Example: Shape (Heap) Analysis t x n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 55

Example: Shape (Heap) Analysis t x n x t n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 56

Example: Shape (Heap) Analysis t x n x t n x t n n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 57

Example: Shape (Heap) Analysis t x n x t n x t n n x t n n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 58

Example: Shape (Heap) Analysis t x n x t n x t n n x t n n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x nn 59

Example: Shape (Heap) Analysis t x n x t n x t n n x t n n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x nn x t n n 60

Example: Shape (Heap) Analysis t x n x t n x t n n x t n n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x nn x t n n x t n n n 61

Example: Shape (Heap) Analysis t x n x t n x t n n x t n n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x nn x t n n x t n n n x t n n n 62

Example: Shape (Heap) Analysis t x n x t n x t n n x t n n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x nn x t n n x t n n n x t n n n x t n n n top 63

Example: Shape (Heap) Analysis t x n x t n x t n n x t n n x t t x n t t n t x t x t x emp void stack-init(int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x nn x t n n x t n n n x t n n n x t n n n top 64

Static Analysis in one slide 1) Abstraction Concrete state x t n n 65

Static Analysis in one slide 1) Abstraction Concrete state x t n nn x t n 66

Static Analysis in one slide 1) Abstraction Concrete stateAbstract state x t n nn x t n 67

Static Analysis in one slide 1) Abstraction Concrete stateAbstract state x t n nn x t n 2) Transformers n x t n t n x n t->n = x 68

Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 69

emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 70

t emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 71

t t emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 72

t t t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) 73

t t t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x Top 74

t t t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x Top 75

x t t t t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x Top 76

x t t x n t t t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x Top 77

x t t x n t t n t x t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) t x Top 78

x t t x n t t n t x t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) n t x Top t x 79

t x n x t t x n t t n t x t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) n t x Top t x 80

t x n x t n x t t x n t t n t x t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) n t x Top t x 81

t x n x t n x t n n x t t x n t t n t x t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) n t x Top t x 82

x t n n t x n x t n x t n n x t t x n t t n t x t x t x emp Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) n t x Top t x 83

x t n n t x n x t n x t n n x t t x n t t n t x t x t x emp x t n n Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) n t x Top t x 84

x t n n t x n x t n x t n n x t t x n t t n t x t x t x emp x t n n Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) x t n Top n n t x t x 85

x t n n t x n x t n x t n n x t t x n t t n t x t x t x emp x t n n x t n n Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) x t n Top n n t x t x 86

x t n n t x n x t n x t n n x t t x n t t n t x t x t x emp x t n n x t n n n x t n Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) x t n Top n n t x t x 87

x t n n t x n x t n x t n n x t t x n t t n t x t x t x emp x t n n x t n n n x t n t n x n Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) x t n Top n n t x t x 88

x t n n t x n x t n x t n n x t t x n t t n t x t x t x emp x t n n x t n n n x t n t n x n x t n n Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) x t n Top n n t x t x 89

x t n n t x n x t n x t n n x t t x n t t n t x t x t x emp x t n n x t n n n x t n t n x n x t n n Static Analysis void stack-init (int i) { Node* x = null; do { Node  t = malloc(…) t->n = x; x = t; } while(--i>0) Top = x; } assert(acyclic(Top)) x t n Top n n t x t x x t n n 90

Example: Polyhedra (Numerical) Domain proc MC(n:int) returns (r:int) var t1:int, t2:int; begin if (n>100) then r = n-10; else t1 = n + 11; t2 = MC(t1); r = MC(t2); endif; end var a:int, b:int; begin b = MC(a); end What is the result of this program? 91

McCarthy 91 function proc MC (n : int) returns (r : int) var t1 : int, t2 : int; begin /* (L6 C5) top */ if n > 100 then /* (L7 C17) [|n-101>=0|] */ r = n - 10; /* (L8 C14) [|-n+r+10=0; n-101>=0|] */ else /* (L9 C6) [|-n+100>=0|] */ t1 = n + 11; /* (L10 C17) [|-n+t1-11=0; -n+100>=0|] */ t2 = MC(t1); /* (L11 C17) [|-n+t1-11=0; -n+100>=0; -n+t2-1>=0; t2-91>=0|] */ r = MC(t2); /* (L12 C16) [|-n+t1-11=0; -n+100>=0; -n+t2-1>=0; t2-91>=0; r-t2+10>=0; r-91>=0|] */ endif; /* (L13 C8) [|-n+r+10>=0; r-91>=0|] */ end var a : int, b : int; begin /* (L18 C5) top */ b = MC(a); /* (L19 C12) [|-a+b+10>=0; b-91>=0|] */ end if (n>=101) then n-10 else 91 92

Some things that should trouble you  does a result always exist?  does the recipe always converge?  is the result always “the best”?  how do I pick my abstraction?  how do come up with abstract transformers? 93

Recap: program analysis  Reason statically (at compile time) about the possible runtime behaviors of a program  use sound over-approximation of program behavior  abstract interpretation  abstract domain  transformers  exploration (fixed-point computation)  finding the right abstraction? 94

Program Synthesis  Automatically synthesize a program that is correct-by-construction from a (higher-level) specification 95 programspecification Synthesizer

Program Synthesis: Techniques  Gen/Test  Theorem Proving  Games  SAT/SMT Solvers  Transformational Synthesis  Abstract Interpretation  …  (we will not be able to cover all in depth) 96

Synthesis Challenge I signum(int x) { if (x>0) return 1; else if (x<0) return -1; else return 0; } 97 Challenge: Generate efficient assembly code for “signum” # x in d0 add.l d0, d0 | add d0 to itself subx.l d1,d1 | subtract (d1+carry) from d1 negx.l d0 | put (0-d0-carry) into d0 addx.l d1, d1 | add (d1+carry) to d1 # signum(x) is now in d1

Superoptimizer [Massalin, 1987]  exhaustive search over assembly programs  order search by increasing program length  check input/output “equivalence” with original code  boolean test – construct boolean formula for functions and compare them  not practical  probabilistic test – run many times on some inputs and check if the outputs of both programs are the same  expensive, only applied to critical pieces of code (e.g., common libraries) 98

Denali Superoptimizer [Joshi, Nelson, Randall, 2001] “a refutation-based automatic theorem-prover is in fact a general-purpose goal-directed search engine, which can perform a goal-directed search for anything that can be specified in its declarative input language. Successful proofs correspond to unsuccessful searches, and vice versa.” 99 (more details later in the course…) Turn the search of a program into a search of counter-example in a theorem prover

{ ……………… …… …………………. ……………………. ………………………… } P1() Synthesis of Atomic Sections 100 { …………………………… ……………………. … } P2() atomic { ………………….. …… ……………………. ……………… …………………… } P3() atomic Safety Specification: S

{ ……………… …… …………………. ……………………. ………………………… } P1() { …………………………… ……………………. … } P2() { ………………….. …… ……………………. ……………… …………………… } P3() Safety Specification: S 101 Synthesis of Atomic Sections

less atomic more atomic 102 Semantic Optimized Search [vechev, yahav, bacon and rinetzky, 2007]

unsigned int got_lock = 0;... 1: while(*) {... 2: if (*) { 3: lock(); 4: got_lock++; }... 5: if (got_lock != 0){ 6: unlock(); } 7: got_lock--;... } lock() { lock: LOCK:=1;} unlock(){ unlock: LOCK:=0;} Specification P1: do not acquire a lock twice P2: do not call unlock without holding the lock P1: always( line=lock implies next( line!=lock w-until line=unlock )) P2: ( line!=unlock w-until line=lock )) and always( line=unlock implies next( line!=unlock w-until line=lock )) 103 (slide adapted with permission from Barbara Jobstmann) Program Repair as a Game [Jobstmann et. al. 2005]

How to Repair a Reactive System? 1. Add freedom  choice for the system, space of permitted modifications to the system 2. Source code ➝ transition system (game)  non-determinism in the program (demonic)  non-determinism in permitted modification (angelic) 3. Specification ➝ monitor acceptance 4. Check if we can find system choices s.t. model is accepted by monitor  product of trans. system and monitor  search for winning strategy in game 104 (slide adapted with permission from Barbara Jobstmann)

unsigned int got_lock = 0;... 1: while(*) {... 2: if (*) { 3: lock(); 4: got_lock = 1; }... 5: if (got_lock != 0){ 6: unlock(); } 7: got_lock = 0;... } lock() { lock: LOCK:=1;} unlock(){ unlock: LOCK:=0;} Specification P1: do not acquire a lock twice P2: do not call unlock without holding the lock P1: always( line=lock implies next( line!=lock w-until line=unlock )) P2: ( line!=unlock w-until line=lock )) and always( line=unlock implies next( line!=unlock w-until line=lock )) 105 (slide adapted with permission from Barbara Jobstmann) Repaired Program

Partial Programs and SKETCH [aLisp: Andre et al 2002, Sketch: Solar-Lezama et al 2006]  partial program freedom in games  defines a space of program  Given a partial program P with control variables C (“holes”), a specification S, the goal is to find an assignment for C such that P[C]  S 106 double(x) { return 2 * x; } double(x) { return x + x; } Synthesizer double(x) { return ?? * x; }

SKETCH: isolate rightmost 0 107 bit[W] isolate0 (bit[W] x) { // W: word size bit[W] ret=0; for (int i = 0; i < W; i++) if (!x[i]) { ret[i] = 1; break; } return ret; } bit[W] isolate0Fast (bit[W] x) implements isolate0 { return ~x & (x+1); } bit[W] isolate0Sketched(bit[W] x) implements isolate0 { return ~(x + ??) & (x + ??); } (Hacker’s Delight, H.S. Warren)

Synthesis as generalized SAT  The sketch synthesis problem  c  x spec(x) = sketch(x,c)  Counter-example driven solver I =  x = random-input() do I = I  {x} find c such that  i I (spec(i)=sketch(c,i)) if cannot find c then exit(“non-satisfiable sketch'') find x such that spec(x)  sketch(x,c) while x != nil return c

SMARTEdit [Lau et al, 2000]  synthesize editor macros (programs) from examples  behind the scenes: machine learning techniques 109

Recap: program synthesis  Automatically synthesize a program that is correct-by-construction from a (higher-level) specification  many techniques  games  games with abstraction (abstract interpretation) 113

Next: Objectives 114

Objective 1 115 Understand the principles behind automated reasoning techniques and be able to apply them in your research    

Objective 2 116 Understand how to use these principles to build a practical working analyzer

Objective 3 117 Gain familiarity with the state-of-the-art in the research area and be able to conduct research

Important Side Objective 118 Have fun !

119  Program Semantics: basis for everything  Dynamic Analysis: using the semantics for cool analyses  Abstract Interpretation: theory of approximation  Predicate abstraction: a widely used form of A.I.  Pointer analysis: how to abstract heaps  Symbolic execution: merge of static and dynamic  Program synthesis: discovery of code  Program analysis frameworks: building an analysis  More…? Coming up (extremely optimistic! more likely, we’ll cover half of it)

Course Project 120  Implement a program analyzer  There is a default project  we will give you a template to simplify your work  But, if you have your own idea, we can discuss it.  Please do not copy code from others

References  Patriot bug:  http://www.cs.usyd.edu.au/~alum/patriot_bug.html http://www.cs.usyd.edu.au/~alum/patriot_bug.html  Patrick Cousot’s NYU lecture notes  Zune bug:  http://www.crunchgear.com/2008/12/31/zune-bug-explained-in-detail/http://www.crunchgear.com/2008/12/31/zune-bug-explained-in-detail/  Blaster worm:  http://www.sans.org/security- resources/malwarefaq/w32_blasterworm.php http://www.sans.org/security- resources/malwarefaq/w32_blasterworm.php  Interesting CACM article  http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of- code-later/fulltext http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of- code-later/fulltext  http://journals.cambridge.org/download.php?file=%2FMSC%2F MSC19_05%2FS0960129509990041a.pdf&code=d5af66869c188 1e31339879b90c07d0c http://journals.cambridge.org/download.php?file=%2FMSC%2F MSC19_05%2FS0960129509990041a.pdf&code=d5af66869c188 1e31339879b90c07d0c 121

Lecture 01 - Introduction Eran Yahav 1. 2 Who? Eran Yahav Taub 734 Tel: 8294318 Monday 13:30-14:30

Similar presentations

Presentation on theme: "Lecture 01 - Introduction Eran Yahav 1. 2 Who? Eran Yahav Taub 734 Tel: 8294318 Monday 13:30-14:30"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Lecture 01 - Introduction Eran Yahav 1. 2 Who? Eran Yahav Taub 734 Tel: 8294318 Monday 13:30-14:30

Similar presentations

Presentation on theme: "Lecture 01 - Introduction Eran Yahav 1. 2 Who? Eran Yahav Taub 734 Tel: 8294318 Monday 13:30-14:30"— Presentation transcript:

Similar presentations

About project

Feedback